Verifying windows binary on initial download

Hello Everyone,


  • I have used syncthing for around a year on many of my devices.
  • I am returning to windows and wanted to install the base syncthing; this is where i ran into an issue verifying the downloaded binary.
  • I couldn’t find a similar question on the forum other then this one, but the solution points to the security page which is a broken link. That solution also seems to use gpg and I rather use the stsigntool if that is a possibility.

What i did:

  • read the release signing page
  • Download v1.27.1 base for windows (amd64)
  • Extract files; open terminal in the new extracted folder
  • I previously installed go and the stsigntool from syncthing’s github repository
  • ran this command:
    stsigntool verify ./metadata/release.sig ./syncthing.exe
    which returned
    incorrect signature
    Note there is no syncthing.exe.sig file like the release signing page suggests.

    I downloaded and ran the above commands on a mac; i plan to verify on mac and then move the binary to my windows laptop.

I am looking for help on what I missed:

  1. Did i understand the signing page correctly?
  2. Where is the syncthing.exe.sig file?

It’s at nowadays. The process described there should work now, as it did then.

The signing mechanism evolved slightly (several years ago), and stsigtool wasn’t updated to check signatures according to the new format, unfortunately. The signature file is the one you found, metadata/release.sig, but it’s no longer a straight signature of just the bytes in the exe file. We’d need to update stsigtool to process the archive itself for it to be easy to use. The old-style exe-only signature was removed (also years ago) because it was no longer used by anything…

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.